UB Network Connection Policy

Summary

Defines the integrity of UB’s data communication network, including how electronic devices shall be connected to UB’s data communication network, how devices shall be secured from Internet threats, and what actions will be taken when a device becomes compromised.

Policy Statement

Appropriate Network Extension

All extensions to UB's data communication network outside of a room boundary shall be done by CIT. Network segments, routers, wireless access points or local area networks may not be attached to the network without written prior approval by the CIO. The addition of network devices to expand port capacity to multiple devices within the same room is generally permitted without prior approval, providing these devices do not cause interference to other users.

Appropriate Network Connection

A principal user who connects a device to the university network is responsible for all network activity emanating from that device. The principal user shall work with appropriate staff to secure the device against compromise. Specifically, any device connected to the university network must (when applicable):

Have an authorized fixed IP address or be appropriately registered for DHCP

Be configured to run a supported version of an operating system for which patches for newly identified security breaches are developed and distributed in a timely manner

Be configured in such a way that known vulnerabilities - such as open FTP ports and open relays - are eliminated or minimized

Be maintained in such a way that patches which close known security breaches are applied as soon as they become available

Have antivirus software installed on it that runs continuously and is updated regularly

Be scanned and determined to be free of viruses and other known compromises that may have been introduced to its operating environment

Be secured physically

Be accountable to the principal user and

Be used for appropriate purposes related to the educational and research missions of the university or to the conduct of its legitimate business activities

Further, it is highly recommended that firewalls be installed and run continuously on devices whenever possible and practicable.

Securing Compromised or Vulnerable Devices

A principal user who connects a device to the university network is responsible for working with appropriate staff to secure the device against compromise as soon as actions to address known vulnerabilities are identified. If a device is compromised, the principal user is responsible for working with appropriate staff to ensure that collateral risks or damage to the information technology infrastructure of the university, other devices on the university network, and other Internet-connected devices and networks around the world are prevented or minimized.

A compromised device (see definitions below) should be immediately secured, shut down, or disconnected from the university network by the principal user. The principal user is responsible for initiating or cooperating with efforts to secure the device. The principal user is also responsible for initiating or cooperating with efforts to identify and notify other principal users whose devices may have been affected. Principal users who reconnect disconnected devices that they know are compromised and have not yet been secured are in violation of university policies and are subject to further actions and, possibly, sanctions.

As a last resort, in the cases of compromised devices connected to the university network as specified in connected definitions 1 and 2 below, when time constraints permit no other course of action or when a principal user is unavailable or uncooperative, it may be necessary to suspend temporarily the network connection of the compromised device. This action should be taken, preferably, by the IT service organization responsible for supporting the principal user in question.

When a campus computer is actively attempting to compromise the integrity and/or availability of UB's IT infrastructure, it will be disconnected from the network immediately and the owner or IT support staff will be notified of the problem and the protective actions taken.

As a last resort, in the cases of compromised devices connected to the university network as specified in connected definitions 3, 4, 5, 6, or 7 below, when time constraints permit no other course of action or when a principal user is unavailable or uncooperative, it may be necessary for CIT to suspend temporarily the principal user's UBITName. This action should be taken, preferably, only after the principal user and (when applicable) the IT service organization responsible for supporting the principal user in question have been notified. When a principal user who is a faculty or staff member cannot be notified prior to this action or is unresponsive or uncooperative, every reasonable effort will be made to communicate with (in ascending order): the principal user’s IT support organization, the affected department chair or head, the affected dean or vice president, or the CIO. In such an event, the parties who would normally be consulted should be notified of the suspension as soon as possible after the action is taken.

Such temporary disconnections and suspensions should be imposed only until such time as the precipitating problem has been redressed. When a principal user who is a faculty or staff member cannot be notified prior to this action or is unresponsive or uncooperative, every reasonable effort will be made to communicate with (in ascending order): the affected department chair or head, the affected dean or vice president, or the CIO. In such an event, the parties who would normally be consulted should be notified of the disconnection or suspension as soon as possible after the action is taken.

Principal users are strongly encouraged to seek the advice of an IT support professional before reconnecting a previously disconnected or suspended device. If such a device is reconnected to the network and has not been secured, further action may be necessary to ensure that the device is properly secured.

Disconnection or suspension is considered a course of action to be avoided whenever possible and to be taken only when deemed necessary in the measured professional opinion of responsible parties in the Office of the CIO, CIT, or the IT service organization responsible for supporting the principal user in question. Within a reasonable time after the disconnection or suspension is imposed, a post-mortem analysis of the sequence of events leading to the suspension should be conducted on university-owned devices. All affected or interested parties should be invited to participate in the post-mortem. The primary purpose of the post-mortem should be to determine, without recrimination, whether the suspension was justified by the facts and whether alternative, equally effective actions could have been taken. Personally owned devices must be remediated by a qualified professional before reconnection to the university network.

Background

One of the major shared resources of the university is its data network. The university's ability to conduct its business is dependent on reliable, stable access to the network and, through the network, to the Internet. University network and Internet connectivity can be jeopardized by computers, workstations, servers, and other devices that extend the network without authorization or are not adequately protected from network-based threats. Protection is optimized only when principal users maintain the operating systems of their devices; install, continuously run, and regularly update antivirus software (when applicable); and apply patches that close known security breaches as soon as they become available.

Compromised or vulnerable devices connected to the university network present potential harm to the network, to other devices on the network, to other networks and the devices attached to them, and to the overall standing of the university's information technology enterprise. Delays in responding to compromised devices could result in losses of data and productivity, other operational problems, legal consequences, and harm to the university's reputation. Consequently, it is imperative that a compromised device be secured in order to eliminate the risk it poses. If a compromised device is being actively used in a way that threatens the integrity of the university network or other devices on the university network, it may be necessary to disconnect it temporarily from the network and secure it before it is reconnected. Because vulnerable devices may at any time be compromised, they must be remediated expeditiously.

Applicability

This policy applies to the entire university data communication network regardless of its medium or form, and to all those who handle university information (faculty, staff, students, third party contractors, and any others). This policy supersedes previous network policies: Open Port Policy, Policy on Network Port Access, and ResNet Port Access.

Definitions

Compromised

For the purposes of this policy, a device is considered compromised once it has been substantiated that:

Its security is breached and that unauthorized processes or user(s) have access to and are able to control its data or resources

It has been configured in a way that could threaten, harm, or interfere with the operation, integrity, or network access of other devices or

It is actively being used to threaten, harm, or interfere with the operation, integrity, or network access of other devices

Connected

A device is considered connected to the university network when it is attached:

To a trusted administrative Ethernet port (not requiring authentication for its use) on the network

To a ResNet port in the Residence Halls

To an open Ethernet port (requiring authentication to a firewall for its use) on the network

To a wireless access point (requiring authentication to a firewall for its use) on the network

Through an ISP via a VPN (virtual private network) session

Via connections established at institutions affiliated with the university, such as hospitals or

By any means that enables its access to the university network

Device

A computer, workstation, server, mobile device, cellular telephone, or any other instrument capable of connecting to and interacting with the university network and other devices on the network.

Principal User

An individual who owns or is the primary user of a device, or the individual or group to which responsibility has been delegated for the administration of a device. Examples: the person who exclusively uses a laptop, the person who oversees a device shared by others, or the IT professional charged with administering a publicly available device.

UB’s Data Communication Network or University Network

The collection of computers and other hardware and software components interconnected by communications channels, both wired and wireless, that allow sharing of resources and information at UB, and to the Internet. Not included in the UB Data Communication Network are private collections of devices connected only to themselves for research or commercial purposes.

Vulnerable

A device is considered vulnerable once it has been substantiated that known actions necessary to prevent it from being compromised have not been taken, despite those actions having been recommended by the Office of the CIO or by entities charged by the CIO to secure the university's computing and networking infrastructure.

Policy Review And Update

The Vice President and Chief Information Officer or his designee will periodically review and update this policy as needed. Questions concerning this policy should be directed to the Office of the Vice President and Chief Information Officer.

Compliance

Violations of this policy will result in appropriate disciplinary measures in accordance with university policies, applicable collective bargaining agreements, and state and federal laws.